ConvertX Path Traversal Vulnerability Leading to Arbitrary File Deletion
Vulnerability
A path traversal vulnerability allowing arbitrary file deletion has been identified in ConvertX versions prior to 0.17.0. The issue arises in the 'POST /delete' endpoint, where a user-controlled 'filename' value is used to construct a filesystem path. The endpoint deletes the specified file using 'unlink' without adequate validation. By exploiting this flaw with path traversal sequences, an attacker can delete files outside the designated uploads directory, depending on the server process's permissions.
Impact
Exploitation of this vulnerability allows authenticated attackers to delete any file accessible to the server process, potentially disrupting services or causing permanent data loss, such as removing database files or uploaded content.
Reproduction
To reproduce this vulnerability, log into the application to obtain a valid session. Then, send a 'POST' request to the '/delete' endpoint with a 'filename' value that includes path traversal sequences, such as '../../..'. The server will resolve the path and delete the specified file, demonstrating the arbitrary file deletion capability.
Remediation
Users can upgrade to ConvertX version 0.17.0 or later, where this vulnerability has been fixed.
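The validation the advisory says is missing, shown as an added example; it is not ConvertX's code or the fix shipped in 0.17.0. The function names and the sandbox files (`report.pdf`, `app.db`) are assumptions made for illustration.

```javascript
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Pattern the advisory describes: the request's filename goes straight into the path.
function unsafeTarget(uploadsDir, filename) {
  return path.join(uploadsDir, filename); // "../" segments walk out of uploadsDir
}

// Hardened form: resolve first, then require the result to stay under the uploads root.
function resolveInside(uploadsDir, filename) {
  if (typeof filename !== "string" || filename === "" || filename.includes("\0")) return null;
  const root = fs.realpathSync(uploadsDir);
  const candidate = path.resolve(root, filename);
  const rel = path.relative(root, candidate);
  const escapes = rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
  return escapes ? null : candidate;
}

// Delete only regular files that pass the containment check.
function deleteUpload(uploadsDir, filename) {
  const target = resolveInside(uploadsDir, filename);
  if (target === null) return "rejected";
  const st = fs.lstatSync(target, { throwIfNoEntry: false });
  if (!st || !st.isFile()) return "not-found";
  fs.unlinkSync(target);
  return "deleted";
}

// Constructed sandbox: uploads/ holds a user file, a sibling file stands in for app data.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "delete-demo-"));
  const uploads = path.join(base, "uploads");
  const sibling = path.join(base, "app.db");
  fs.mkdirSync(uploads);
  fs.writeFileSync(path.join(uploads, "report.pdf"), "x");
  fs.writeFileSync(sibling, "x");
  const result = {
    unsafeEscapes: fs.realpathSync(unsafeTarget(uploads, "../app.db")) === fs.realpathSync(sibling),
    traversal: deleteUpload(uploads, "../app.db"),
    absolute: deleteUpload(uploads, sibling),
    legit: deleteUpload(uploads, "report.pdf"),
    siblingSurvived: fs.existsSync(sibling),
  };
  fs.rmSync(base, { recursive: true, force: true });
  return result;
}
```

The check covers relative and absolute inputs; it does not resolve symlinked directories that may exist inside the uploads root, which would need a `realpath` on the target's parent as well.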
